TIME STAMPING METHOD EMPLOYING
MULTIPLE RECEIPTS LINKED BY A NONCE 

BACKGROUND OF THE INVENTION 
The present invention relates generally to cryptographic protocols and, 
more particularly, to a time-stamping protocol for time-stamping digital 
documents. 

There are times when it is desirable to prove the existence of a document 
as of a particular date. For example, patent disputes concerning the inventorship 
of an invention often turn on who is able to produce corroborating documentary 
evidence dating their conception of the invention. A common procedure for 
dating records is to keep the records in a daily journal or notebook with each 
page sequentially numbered and dated. Another procedure for dating a record is 
to have the record witnessed by an uninterested or trusted party that can attest to 
the existence of the document. The increasing use of computers, however, 
makes these time-stamping methods obsolete. It is relatively easy to change the 
date-stamp added to a document by the computer when the document was 
created. Further, while it is difficult to alter a paper document without leaving 
some signs of tampering, digital records can be easily altered or revised without 
leaving any evidence of tampering. Therefore, people are less likely to trust a 
digital document than a paper document that has been time-stamped using 
conventional time-stamping procedures. 

To be trusted, a time-stamping procedure for digital documents should
meet the following criteria:

1. The data itself must be time-stamped, without any regard to the
physical medium on which it resides. 

2. It must be impossible to change a single bit of the data without that 
change being apparent. 

3. It must be impossible to timestamp a document with a date and 
time different than the current date and time. 

One method for time-stamping a digital document would be to archive the 
document with a trusted escrow agent. In this case, the document originator 
sends a copy of the digital document to a trusted escrow agent. The escrow 
agent records the date and time that the document was received and retains a 
copy in his archives. Later, if a dispute arises over the date of the document, the 
document originator can contact the escrow agent who produces his copy of the 
document and verifies that it was received on a particular date. This
time-stamping procedure has a number of drawbacks. First, the document originator
must disclose the contents of the document to the escrow agent. Also, large 
documents take a relatively long period of time to transmit to the escrow agent 
and they require a large amount of data storage. 

An improvement of the escrow procedure is to use a hash of the 
document. Instead of sending the document to the escrow agent, the document 
originator hashes the document using a one-way hash algorithm and sends the 
generated hash value to the escrow agent. The escrow agent stores the hash 
value along with the date and time that it was received in his archives. Later the
document originator can use the services of the escrow agent to prove the 
existence of the document as of a particular date. The disputed document can 
be hashed and the resulting hash value can be compared to the hash value 
stored by the escrow agent in his archives for equality. If the hash values are 
equal, the document is presumed to be in existence as of the date associated 
with the stored hash value. One advantage of this method is that the document 
originator does not need to disclose the contents of the document to the escrow 
agent. 

The need to escrow the document or hash value can be eliminated by 
having a time stamping authority generate a certified time stamp receipt using a 
cryptographic signature scheme as taught in U.S. Pat. No. Re. 34,954 to Haber 
et al. and Fischer, U.S. Patent No. 5,001,752. In this case, the document
originator hashes the document and transmits the hash value to the time 
stamping authority. The time stamping authority appends the current date and 
time to the hash value to create a time stamp receipt and digitally signs the time 
stamp receipt with a private signature key. The time stamping authority's public 
verification key is distributed and available to anyone interested in validating a 
time stamp receipt created by time stamping authority. The public verification 
key is typically stored in a public key certificate signed by a Certification Authority 
so that anyone desiring to validate the time stamp receipt with the public key can 
have confidence in the authenticity of the key. 






SUMMARY OF THE INVENTION 
The present invention is a time-stamping protocol for time-stamping digital 
documents so that the date of the document can be verified. The method 
presumes the existence of a trusted agent referred to herein as the
time-stamping authority (TSA). According to the present invention, a requestor sends
a document to be certified or other identifying data associated with the document 
to a time-stamping authority TSA. The TSA creates a two part time stamp 
receipt based on the document and a time indication. The first part of the time 
stamp receipt is made by combining the identifying data with a nonce. The 
second part of the time stamp receipt is made by combining a time indication with 
the nonce. The nonce serves as a link between the two parts of the time stamp 
receipt. Each part is separately signed and transmitted by the TSA to the 
requestor. 

BRIEF DESCRIPTION OF THE DRAWINGS 
Figure 1 is a flow diagram illustrating an embodiment of the time stamping
method of the present invention.

DETAILED DESCRIPTION OF THE INVENTION 
Figure 1 is a flow diagram illustrating the general process of time-stamping 
a document according to the present invention. A document D is created at step
100. The document D is presumed to be in digital form and may comprise any
alphanumeric, audio, or graphic presentation of any length. The document D
may optionally be hashed at step 102 using a one-way hashing function. A hash
function is a function that takes a variable length input string, called a pre-image,
and converts it to a fixed-length string, called a hash value, denoted H. The
pre-image in this case is the document D or selected portions thereof. A one-way
hash function operates in only one direction. While it is easy to compute a hash
value from the pre-image, it is computationally impractical to find a pre-image
that hashes to a given hash value. Thus, it is practically impossible to recover
the pre-image given the hash value and knowledge of the hash algorithm.
Another feature of a hashing function is that it is difficult to find any two
pre-images that hash to the same value.

There are several advantages to sending a hash value H produced on 
document D instead of the document D itself. First, the hash value H improves 
security by functioning as a fingerprint of the document D. Changing a single bit 
in the document D will result in an entirely different hash value making it easy to 
detect efforts to modify a document D or hash value H. Second, the hash value 
H greatly reduces the amount of data that must be transmitted to the TSA. This 
factor can be important where the available bandwidth is limited. Third, by 
sending a hash value H in place of the document D, the content of the document 
D does not need to be disclosed to the TSA. 

Any known hashing function, such as SHA-1, MD5, and RIPEMD-160,
can be used in the present invention. For the remaining description of the time
stamping protocol, it will be assumed that the document D has been hashed and
that the hash value H has been sent to the TSA in lieu of the document D. It is
understood, however, that one can practice the invention by substituting D,
selected portions of document D, or some other function of D in place of the hash 
value H in the protocol. 

The hash value H generated on document D or a selected portion thereof 
is transmitted to and received by the TSA at step 104. After receiving the hash 
value H, the TSA generates a random value called a nonce N at step 106 and 
uses the nonce N and the current time T to generate a two-part time stamp 
receipt R at steps 108 and 110. Other optional data, such as an identification 
number ID of the document originator and/or a sequential record number SN 
could also be used to generate the time stamp receipt R. The optional data can 
be provided by the document originator or generated by the TSA. The current 
time T is generated by a trusted clock controlled by the TSA or alternatively 
obtained by the TSA from a trusted source. 

The first part of the time stamp receipt R, denoted R1, is generated by
concatenating the hash value H generated on document D with the nonce N.
Thus, R1 is represented by the string (H, N). The second part of the time receipt
R, denoted R2, is generated by concatenating the current time T and the nonce N
and is represented by the string (T, N). Optional data such as the user
identification number ID and/or sequential record number SN can be included in
either part R1 or R2 or, alternatively, each part may include a portion of the
optional data.

The TSA separately signs the first and second receipts R1 and R2 at step
112 to generate certified time stamp receipts denoted sig(R1) and sig(R2). The
receipts R1 and R2 are signed using the TSA's private signature generation key
Kpr. The signature generation key Kpr is part of a public and private key pair
(Kp, Kpr) used by the TSA to certify time stamp receipts. The private key is
known only to the TSA. The public verification key Kp is made available to the
public so that anyone interested can verify or authenticate the TSA's signature.
The public verification key Kp can be stored in a certificate signed by a
Certification Authority CA so that the TSA's public key Kp can be validated and,
hence, trusted by those using the public key Kp. Any known cryptographic
signature scheme can be used by the TSA including, for example, the RSA
algorithm.

At step 114, the TSA transmits the signed time stamp receipts sig(R1)
and/or sig(R2) to the requestor and the procedure ends. 

In the event that a dispute arises concerning document D, the existence
and substance of the document D as of a particular date can be proved by
means of the two-part time stamp receipt. To verify the document D, the TSA's
signatures on the first and second time stamp receipts sig(R1) and sig(R2) are first
verified using the TSA's public verification key Kp. Next, the disputed document
D is verified against the hash value H contained in the first receipt sig(R1). In
cases where the first receipt sig(R1) includes a hash value H generated on
document D, a hash value H is generated on the disputed document D and
compared for equality to the hash value H contained in the first part of the time
stamp receipt sig(R1). The date or time of the document D is verified by
comparing the nonce N contained in the first receipt sig(R1) with the nonce N
contained in the second receipt sig(R2). If the values of N are equal, the time T
in the second receipt sig(R2) is taken to be the priority date of the document D.

In the described invention, the values H and N in R1 are cryptographically
bound together by signing R1 with the TSA's private signature generation key Kpr
and likewise the values T and N in R2 are cryptographically bound together by
signing R2 with the TSA's private signature generation key Kpr. Those skilled in
the art will recognize that other cryptographic binding methods could be
employed, and that the present invention is not limited to a binding method based
solely on or restricted solely to certification methods based on digital signatures.
Alternatively, the binding operation could be based on Message Authentication
Codes (MACs). In that case, the TSA would compute message authentication
codes, MAC1 and MAC2, on R1 and R2, respectively, using a secret MAC key K.
However, unlike digital signatures, which can be validated by anyone possessing
the public key, MAC1 and MAC2 can only be validated by the TSA possessing
the secret key K. However, if the secret MAC key were shared with some other
trusted third party, then the MACs could be validated by that trusted third party,
as well. Hence, even when MACs are used, it is possible for disputes arising
concerning document D to be settled by some trusted third party, in addition to
the original TSA who created the MACs. The binding operation may also be
performed using encryption techniques, e.g., by separately encrypting R1 and R2
under a secret key using a symmetric key algorithm or a public key using a public
key algorithm. The binding operation may also be performed using hashing
techniques, e.g., by separately hashing R1 and R2 using a hashing algorithm and
then storing the respective hash values in a repository with integrity, so that one
is assured that the hash values cannot be changed.
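
The two-part receipt and its verification, using the MAC binding variant described above, can be sketched as follows. This is an added example, not code from the specification; the choice of SHA-256 and HMAC-SHA256, the JSON encoding, the key `TSA_MAC_KEY` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumptions (not from the specification): SHA-256 as the one-way hash
# (the SHA-1 and MD5 named in the text are no longer collision resistant),
# HMAC-SHA256 as the binding MAC, JSON as the receipt encoding, and a
# constructed secret key K held by the TSA.
TSA_MAC_KEY = secrets.token_bytes(32)


def hash_document(document: bytes) -> str:
    """Step 102: hash value H of document D."""
    return hashlib.sha256(document).hexdigest()


def mac_part(key: bytes, body: dict) -> str:
    """Bind the fields of one receipt part together under the MAC key."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, encoded, hashlib.sha256).hexdigest()


def tsa_issue(h: str, key: bytes = TSA_MAC_KEY, now=None):
    """Steps 104-114: return the two separately bound receipt parts."""
    nonce = secrets.token_hex(16)                     # step 106: nonce N
    t = int(time.time()) if now is None else now      # current time T
    r1 = {"H": h, "N": nonce}                         # step 108: R1 = (H, N)
    r2 = {"T": t, "N": nonce}                         # step 110: R2 = (T, N)
    return ({"body": r1, "mac": mac_part(key, r1)},   # step 112: MAC1
            {"body": r2, "mac": mac_part(key, r2)})   #           MAC2


def verify(document: bytes, part1: dict, part2: dict,
           key: bytes = TSA_MAC_KEY) -> int:
    """Return time T if both parts are authentic and linked; else ValueError."""
    for part in (part1, part2):
        if not hmac.compare_digest(part["mac"], mac_part(key, part["body"])):
            raise ValueError("MAC check failed: receipt part was altered")
    if set(part1["body"]) != {"H", "N"} or set(part2["body"]) != {"T", "N"}:
        raise ValueError("receipt part has unexpected fields")
    if not hmac.compare_digest(hash_document(document), part1["body"]["H"]):
        raise ValueError("document does not match H in the first receipt")
    if not hmac.compare_digest(part1["body"]["N"], part2["body"]["N"]):
        raise ValueError("nonce mismatch: the two receipts are not linked")
    return part2["body"]["T"]


if __name__ == "__main__":
    doc = b"constructed sample document"              # constructed input
    p1, p2 = tsa_issue(hash_document(doc), now=1_700_000_000)
    print("verified time:", verify(doc, p1, p2))
    # A second part from an unrelated, earlier request must not be accepted.
    _, older = tsa_issue(hash_document(b"other"), now=1_600_000_000)
    try:
        verify(doc, p1, older)
    except ValueError as err:
        print("rejected:", err)
```

Because the binding here is a MAC, only a holder of the secret key can run `verify`, which matches the limitation the text notes for MAC1 and MAC2.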

The time-stamping procedures described herein may be implemented 
using general purpose programmable computers. A client program running on a 
user's computer could perform the steps of hashing documents and transmitting 
documents or hash values to the TSA. A server application running on a general 
purpose programmable computer controlled by the TSA could perform the steps 
of generating time stamp receipts, signing time stamp receipts, generating 
certificates, and transmitting signed time stamp receipts to users. It would also 
be possible to implement some or all of the steps in firmware, or in hard-wired 
logic. 

The present invention may, of course, be carried out in other specific ways 
than those herein set forth without departing from the spirit and essential 
characteristics of the invention. The present embodiments are, therefore, to be 
considered in all respects as illustrative and not restrictive, and all changes 
coming within the meaning and equivalency range of the appended claims are 
intended to be embraced therein.

Claims:

1. A method for time-stamping a document comprising:

a. receiving identifying data associated with a document D at an 
outside agency; 

b. creating at said outside agency a first receipt based on said 
identifying data and a linking value; 

c. creating at said outside agency a second receipt based on said 
linking value and a time indication; 

d. certifying said first and second receipts at said outside agency 
using a cryptographic signature scheme. 

2. The time-stamping method of claim 1 wherein said identifying data 
comprises a digital representation of at least a portion of said document. 

3. The time-stamping method of claim 2 wherein said identifying data 
comprises a digital sequence derived by application of a deterministic function to 
at least a portion of said document. 

4. The time-stamping method of claim 3 wherein said digital sequence is a 
hash value derived by application of a one-way hashing function to at least a 
portion of said document. 

5. The time-stamping method of claim 1 wherein said first receipt includes at
least a portion of said identifying data and a nonce. 

6. The time-stamping method of claim 1 wherein said first receipt includes a 
digital sequence generated by applying a pre-determined function to said 
identifying data. 

7. The time-stamping method of claim 1 wherein one of said first and second 
receipts includes a user identification number associated with a user. 

8. The time-stamping method of claim 7 wherein one of said first and second 
receipts includes a sequential record number. 

9. A method for time-stamping a document comprising: 

a. transmitting identifying data associated with said document to an 
outside agency; 

b. receiving from said outside agency a first receipt signed by said 
outside agency using a cryptographic signature scheme, said first receipt 
including a first digital sequence generated based on said identifying data and a 
linking value; and 

c. receiving from said outside agency a second receipt signed by said 
outside agency using a cryptographic signature scheme, said second receipt 
containing a second digital sequence based on a time indication and said linking 
value.



10. The time-stamping method of claim 9 wherein said identifying data 
comprises a digital representation of at least a portion of said document. 

11. The time-stamping method of claim 10 wherein said identifying data
comprises a digital sequence derived by application of a deterministic function to
at least a portion of said document.

12. The time-stamping method of claim 11 wherein said digital sequence is a
hash value derived by application of a one-way hashing function to at least a
portion of said document.

13. The time-stamping method of claim 9 wherein said first receipt includes at
least a portion of said identifying data and a nonce.

14. The time-stamping method of claim 9 wherein said first receipt includes a
digital sequence generated by applying a pre-determined function to said
identifying data.

15. The time-stamping method of claim 9 wherein one of said first and second
receipts includes a user identification number associated with a user.

16. The time-stamping method of claim 15 wherein one of said first and
second receipts includes a sequential record number.

17. The time-stamping method of claim 9 wherein a common cryptographic
signature scheme is used to sign both said first and second receipts. 

18. The time-stamping method of claim 9 wherein different cryptographic 
signature schemes are used to sign said first and second receipts. 

19. The time-stamping method of claim 9 wherein said linking value is a nonce 
value. 

ABSTRACT OF THE DISCLOSURE



A method for time stamping a digital document employs a two-part time 
stamp receipt. The first part of the time stamp receipt includes identifying data 
associated with a document and a nonce. The second part of the time stamp 
receipt includes a time indication and the nonce. The nonce serves as a link 
between the first and second parts. 



[FIG. 1: flow diagram of the time stamping method. 100: Document D created; 102: Document D hashed; 104: Hash received by TSA; 106: Generate nonce; 108: Generate first part of receipt; 110: Generate second part of receipt; 112: Sign both parts of receipt; 114: Transmit receipt; End.]



P-4541 .004/RSW9-99-089 



Declaration and Power of Attorney for 
Patent Application 

As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name; I believe I am the 
original, first and sole inventor (if only one name is listed below) or an original, first and joint inventor (if 
plural names are listed below) of the subject matter which is claimed and for which a patent is sought on 
the invention entitled 

TIME STAMPING METHOD EMPLOYING MULTIPLE RECEIPTS LINKED BY A NONCE 

the specification of which (check one) 
[X] is attached hereto.
[ ] was filed on            as Application Serial No.            .

I hereby state that I have reviewed and understand the contents of the above-identified specification,
including the claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose information which is material to the patentability of this application in 
accordance with Title 37, Code of Federal Regulations, §1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, §119 of any foreign 
application(s) for patent or inventor's certificate listed below and have also identified below any foreign 
application for patent or inventor's certificate having a filing date before that of the application on which 
priority is claimed: 

Prior Foreign Application(s): 

Number Country Day/Month/Year Priority Claimed



I hereby claim the benefit under Title 35, United States Code, §120 of any United States application(s) 
listed below and, insofar as the subject matter of each of the claims of this application is not disclosed in 
the prior United States application in the manner provided by the first paragraph of Title 35, United States 
Code, §112, I acknowledge the duty to disclose information material to the patentability of this application 
as defined in Title 37, Code of Federal Regulations, §1.56 which occurred between the filing date of the 
prior application and the national or PCT international filing date of this application: 

Prior U.S. Applications: 

Serial No. Filing Date Status 



I hereby declare that all statements made herein of my own knowledge are true and that all statements 
made on information and belief are believed to be true; and further that these statements were made with 
the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, 
or both, under Section 1001 of Title 18 of the United States Code and that such willful false statements 
may jeopardize the validity of the application or any patent issued thereon. 






As a named inventor, I hereby appoint the following attorneys and/or agents to prosecute this application 
and transact all business in the Patent and Trademark Office connected therewith: 

AB Clay Reg No. 32,121; G. M. Doudnikoff, Reg. No. 32,847; E H. Duffield, Reg. No. 25,970; J. W. 
Herndon Reg. No. 27,901; J. S. Ray-Yarietts, Reg. No. 39,808; Larry L Coats, Reg. No. 25,620. David 
E Bennett, Reg. No. 32,194; John R. Owen. Reg. No. 42,055; Benjamin S. Withrow, Reg. No. 40,876; 
David D. Kalish, Reg. No. 42,706; Steve Terranova, Reg. No. 43,185; Taylor M. Davenport, Reg. No. 
42,466; and Michael D. Murphy, Reg. No. 44,958. 



Send all correspondence to: 



IBM Corporation, Dept. T81/062 
3039 Cornwallis Road 
RTP, NC 27709
919-543-2541 
FAX: 919-254-4330 



(1) Inventor: Mohammad Peyravian

Signature:                Date:

Residence: Cary, North Carolina, USA

Citizenship: US

Post Office Address: 122 Lake Hollow Circle, Cary, North Carolina 27513

(2) Inventor: Allen Roginsky

Signature:                Date:

Residence: Durham, North Carolina, USA

Citizenship: US

Post Office Address: 5610 Loyal Avenue, Durham, North Carolina 27713

Inventor: Nevenko Zunic

Signature:                Date:

Residence: Wappingers Falls, New York, USA

Citizenship: US

Post Office Address: 45 Reggie Drive, Wappingers Falls, New York 12590

Inventor: Stephen M. Matyas, Jr.

Signature:                Date:

Residence: Manassas, Virginia, USA

Citizenship: US

Post Office Address: 10298 Cedar Ridge Drive, Manassas, Virginia 20110



